// Copyright 2021 Google LLC. All Rights Reserved.
// 
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
// 
//     http://www.apache.org/licenses/LICENSE-2.0
// 
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
// GENERATED BY gen_go_data.go
// gen_go_data -package alpha -var YAML_instance blaze-out/k8-fastbuild/genfiles/cloud/graphite/mmv2/services/google/tier2/alpha/instance.yaml

package alpha

// blaze-out/k8-fastbuild/genfiles/cloud/graphite/mmv2/services/google/tier2/alpha/instance.yaml
var YAML_instance = []byte("info:\n  title: Tier2/Instance\n  description: DCL Specification for the Tier2 Instance resource\n  x-dcl-has-iam: false\npaths:\n  get:\n    description: The function used to get information about a Instance\n    parameters:\n    - name: Instance\n      required: true\n      description: A full instance of a Instance\n  apply:\n    description: The function used to apply information about a Instance\n    parameters:\n    - name: Instance\n      required: true\n      description: A full instance of a Instance\n  delete:\n    description: The function used to delete a Instance\n    parameters:\n    - name: Instance\n      required: true\n      description: A full instance of a Instance\n  deleteAll:\n    description: The function used to delete all Instance\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n    - name: location\n      required: true\n      schema:\n        type: string\n  list:\n    description: The function used to list information about many Instance\n    parameters:\n    - name: project\n      required: true\n      schema:\n        type: string\n    - name: location\n      required: true\n      schema:\n        type: string\ncomponents:\n  schemas:\n    Googleprotobufstruct:\n      type: object\n      x-dcl-go-name: ApiAttrs\n      x-dcl-go-type: InstanceGoogleprotobufstruct\n      description: The values of attributes to be provided for condition evaluation\n        when checking policy. The name of the attribute has to be unique within a\n        service and is using the format {service-fully-qualified-name}/{attribute-name},\n        e.g. 'compute.googleapis.com/loadBalancingScheme' for passing the load balancing\n        scheme in a forwarding rule to IAM. See tech.iam.SYSContext.api_attrs for\n        more context. [optional]\n    Instance:\n      title: Instance\n      x-dcl-id: projects/{{project}}/locations/{{location}}/instances/{{name}}\n      x-dcl-locations:\n      - zone\n      x-dcl-parent-container: project\n      type: object\n      required:\n      - name\n      - project\n      - location\n      properties:\n        alternativeZone:\n          type: string\n          x-dcl-go-name: AlternativeZone\n          description: Alternative zone.\n        authorizedNetworkId:\n          type: string\n          x-dcl-go-name: AuthorizedNetworkId\n          description: The name of the [network](/compute/docs/networks-and-firewalls#networks)\n            to which the instance is connected. If left unspecified, the `default`\n            network will be used.\n        createRecipe:\n          type: object\n          x-dcl-go-name: CreateRecipe\n          x-dcl-go-type: InstanceCreateRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceCreateRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceCreateRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceCreateRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceCreateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceCreateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceCreateRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceCreateRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceCreateRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceCreateRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceCreateRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceCreateRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceCreateRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceCreateRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceCreateRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceCreateRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        createTime:\n          type: string\n          format: date-time\n          x-dcl-go-name: CreateTime\n          readOnly: true\n          description: '[Output only] The time the instance was created.'\n          x-kubernetes-immutable: true\n        currentZone:\n          type: string\n          x-dcl-go-name: CurrentZone\n          readOnly: true\n          description: '[Output only] The current zone of the instance.'\n          x-kubernetes-immutable: true\n        deleteRecipe:\n          type: object\n          x-dcl-go-name: DeleteRecipe\n          x-dcl-go-type: InstanceDeleteRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceDeleteRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceDeleteRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceDeleteRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceDeleteRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceDeleteRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceDeleteRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceDeleteRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceDeleteRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceDeleteRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceDeleteRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceDeleteRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceDeleteRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceDeleteRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceDeleteRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceDeleteRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        displayName:\n          type: string\n          x-dcl-go-name: DisplayName\n          description: An arbitrary and optional user provided name for the instance.\n        enableCallHistory:\n          type: boolean\n          x-dcl-go-name: EnableCallHistory\n          description: Enables call history for recipe steps.\n        etag:\n          type: string\n          x-dcl-go-name: Etag\n          readOnly: true\n          description: This checksum is computed by the server based on the value\n            of other fields, and may be sent on update and delete requests to ensure\n            the client has an up-to-date value before proceeding.\n          x-kubernetes-immutable: true\n        extraInfo:\n          type: string\n          x-dcl-go-name: ExtraInfo\n          readOnly: true\n          description: '[Output only] extra info are returned when user choose FULL\n            view in GetInstance request. It is demo for partial response.'\n          x-kubernetes-immutable: true\n        freezeRecipe:\n          type: object\n          x-dcl-go-name: FreezeRecipe\n          x-dcl-go-type: InstanceFreezeRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceFreezeRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceFreezeRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceFreezeRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceFreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceFreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceFreezeRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceFreezeRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceFreezeRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceFreezeRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceFreezeRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceFreezeRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceFreezeRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceFreezeRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceFreezeRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceFreezeRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        history:\n          type: array\n          x-dcl-go-name: History\n          description: Each call to the CLH that processed a step of some CLH recipe.\n          x-dcl-send-empty: true\n          x-dcl-list-type: list\n          items:\n            type: object\n            x-dcl-go-type: InstanceHistory\n            properties:\n              description:\n                type: string\n                x-dcl-go-name: Description\n              operationHandle:\n                type: string\n                x-dcl-go-name: OperationHandle\n              p4ServiceAccount:\n                type: string\n                x-dcl-go-name: P4ServiceAccount\n              stepIndex:\n                type: integer\n                format: int64\n                x-dcl-go-name: StepIndex\n              tenantProjectId:\n                type: string\n                x-dcl-go-name: TenantProjectId\n              tenantProjectNumber:\n                type: integer\n                format: int64\n                x-dcl-go-name: TenantProjectNumber\n              timestamp:\n                type: string\n                format: date-time\n                x-dcl-go-name: Timestamp\n        host:\n          type: string\n          x-dcl-go-name: Host\n          readOnly: true\n          description: '[Output only] Hostname or IP address of the instance endpoint.'\n          x-kubernetes-immutable: true\n        labels:\n          type: object\n          additionalProperties:\n            type: string\n          x-dcl-go-name: Labels\n          description: Resource labels to represent user provided metadata\n        location:\n          type: string\n          x-dcl-go-name: Location\n          description: The location for the resource\n          x-kubernetes-immutable: true\n        mutateUserId:\n          type: integer\n          format: int64\n          x-dcl-go-name: MutateUserId\n          readOnly: true\n          description: '[Output only] Gaia ID observed by the CLH from the last mutation.'\n          x-kubernetes-immutable: true\n        name:\n          type: string\n          x-dcl-go-name: Name\n          description: Unique name of the resource.\n        notifyKeyAvailableRecipe:\n          type: object\n          x-dcl-go-name: NotifyKeyAvailableRecipe\n          x-dcl-go-type: InstanceNotifyKeyAvailableRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceNotifyKeyAvailableRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceNotifyKeyAvailableRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        notifyKeyUnavailableRecipe:\n          type: object\n          x-dcl-go-name: NotifyKeyUnavailableRecipe\n          x-dcl-go-type: InstanceNotifyKeyUnavailableRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceNotifyKeyUnavailableRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        port:\n          type: integer\n          format: int64\n          x-dcl-go-name: Port\n          readOnly: true\n          description: '[Output only] The port number of the instance endpoint.'\n          x-kubernetes-immutable: true\n        preprocessCreateRecipe:\n          type: object\n          x-dcl-go-name: PreprocessCreateRecipe\n          x-dcl-go-type: InstancePreprocessCreateRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessCreateRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessCreateRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessCreateRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessCreateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessCreateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessCreateRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessCreateRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessCreateRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessCreateRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessCreateRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessCreateRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessCreateRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessCreateRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessCreateRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessCreateRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessDeleteRecipe:\n          type: object\n          x-dcl-go-name: PreprocessDeleteRecipe\n          x-dcl-go-type: InstancePreprocessDeleteRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessDeleteRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessDeleteRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessDeleteRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessDeleteRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessDeleteRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessDeleteRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessDeleteRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessDeleteRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessDeleteRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessDeleteRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessDeleteRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessDeleteRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessDeleteRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessDeleteRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessDeleteRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessFreezeRecipe:\n          type: object\n          x-dcl-go-name: PreprocessFreezeRecipe\n          x-dcl-go-type: InstancePreprocessFreezeRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessFreezeRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessFreezeRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessFreezeRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessFreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessFreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessFreezeRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessFreezeRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessFreezeRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessFreezeRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessFreezeRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessFreezeRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessFreezeRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessFreezeRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessFreezeRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessFreezeRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessGetRecipe:\n          type: object\n          x-dcl-go-name: PreprocessGetRecipe\n          x-dcl-go-type: InstancePreprocessGetRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessGetRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessGetRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessGetRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessGetRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessGetRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessGetRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessGetRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessGetRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessGetRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessGetRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessGetRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessGetRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessGetRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessGetRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessGetRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessPassthroughRecipe:\n          type: object\n          x-dcl-go-name: PreprocessPassthroughRecipe\n          x-dcl-go-type: InstancePreprocessPassthroughRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessPassthroughRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessPassthroughRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessReconcileRecipe:\n          type: object\n          x-dcl-go-name: PreprocessReconcileRecipe\n          x-dcl-go-type: InstancePreprocessReconcileRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessReconcileRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessReconcileRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessReconcileRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessReconcileRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessReconcileRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessReconcileRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessReconcileRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessReconcileRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessReconcileRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessReconcileRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessReconcileRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessReconcileRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessReconcileRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessReconcileRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessReconcileRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessRepairRecipe:\n          type: object\n          x-dcl-go-name: PreprocessRepairRecipe\n          x-dcl-go-type: InstancePreprocessRepairRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessRepairRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessRepairRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessRepairRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessRepairRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessRepairRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessRepairRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessRepairRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessRepairRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessRepairRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessRepairRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessRepairRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessRepairRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessRepairRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessRepairRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessRepairRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessReportInstanceHealthRecipe:\n          type: object\n          x-dcl-go-name: PreprocessReportInstanceHealthRecipe\n          x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessReportInstanceHealthRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessResetRecipe:\n          type: object\n          x-dcl-go-name: PreprocessResetRecipe\n          x-dcl-go-type: InstancePreprocessResetRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessResetRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessResetRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessResetRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessResetRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessResetRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessResetRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessResetRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessResetRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessResetRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessResetRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessResetRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessResetRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessResetRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessResetRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessResetRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessUnfreezeRecipe:\n          type: object\n          x-dcl-go-name: PreprocessUnfreezeRecipe\n          x-dcl-go-type: InstancePreprocessUnfreezeRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessUnfreezeRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessUnfreezeRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        preprocessUpdateRecipe:\n          type: object\n          x-dcl-go-name: PreprocessUpdateRecipe\n          x-dcl-go-type: InstancePreprocessUpdateRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstancePreprocessUpdateRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstancePreprocessUpdateRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstancePreprocessUpdateRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstancePreprocessUpdateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstancePreprocessUpdateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessUpdateRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstancePreprocessUpdateRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstancePreprocessUpdateRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstancePreprocessUpdateRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstancePreprocessUpdateRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstancePreprocessUpdateRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstancePreprocessUpdateRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstancePreprocessUpdateRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstancePreprocessUpdateRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstancePreprocessUpdateRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        project:\n          type: string\n          x-dcl-go-name: Project\n          description: The project for the resource\n          x-kubernetes-immutable: true\n          x-dcl-references:\n          - resource: Cloudresourcemanager/Project\n            field: name\n            parent: true\n        publicResourceViewOverride:\n          type: string\n          x-dcl-go-name: PublicResourceViewOverride\n        readUserId:\n          type: integer\n          format: int64\n          x-dcl-go-name: ReadUserId\n          readOnly: true\n          description: '[Output only] Gaia ID observed by the CLH when read.'\n          x-kubernetes-immutable: true\n        readonlyRecipe:\n          type: object\n          x-dcl-go-name: ReadonlyRecipe\n          x-dcl-go-type: InstanceReadonlyRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceReadonlyRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceReadonlyRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceReadonlyRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceReadonlyRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceReadonlyRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceReadonlyRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceReadonlyRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceReadonlyRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceReadonlyRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceReadonlyRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceReadonlyRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceReadonlyRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceReadonlyRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceReadonlyRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceReadonlyRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        reconcileRecipe:\n          type: object\n          x-dcl-go-name: ReconcileRecipe\n          x-dcl-go-type: InstanceReconcileRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceReconcileRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceReconcileRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceReconcileRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceReconcileRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceReconcileRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceReconcileRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceReconcileRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceReconcileRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceReconcileRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceReconcileRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceReconcileRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceReconcileRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceReconcileRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceReconcileRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceReconcileRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        references:\n          type: array\n          x-dcl-go-name: References\n          description: Optional list of references that currently exist for this resource.\n          x-dcl-send-empty: true\n          x-dcl-list-type: list\n          items:\n            type: object\n            x-dcl-go-type: InstanceReferences\n            required:\n            - type\n            - sourceResource\n            properties:\n              createTime:\n                type: string\n                format: date-time\n                x-dcl-go-name: CreateTime\n                readOnly: true\n                description: Output only. The creation time.\n              details:\n                type: array\n                x-dcl-go-name: Details\n                description: 'Details of the reference type with no implied semantics.\n                  Cumulative size of the field must not be more than 1KiB. Note: For\n                  the Arcus Reference API, you must add the proto you store in this\n                  field to http://cs/symbol:cloud.cluster.reference.ReferencePayload'\n                x-dcl-send-empty: true\n                x-dcl-list-type: list\n                items:\n                  type: object\n                  x-dcl-go-type: InstanceReferencesDetails\n                  properties:\n                    typeUrl:\n                      type: string\n                      x-dcl-go-name: TypeUrl\n                      description: 'A URL/resource name that uniquely identifies the\n                        type of the serialized protocol buffer message. This string\n                        must contain at least one \"/\" character. The last segment\n                        of the URL''s path must represent the fully qualified name\n                        of the type (as in `path/google.protobuf.Duration`). The name\n                        should be in a canonical form (e.g., leading \".\" is not accepted).\n                        In practice, teams usually precompile into the binary all\n                        types that they expect it to use in the context of Any. However,\n                        for URLs which use the scheme `http`, `https`, or no scheme,\n                        one can optionally set up a type server that maps type URLs\n                        to message definitions as follows: * If no scheme is provided,\n                        `https` is assumed. * An HTTP GET on the URL must yield a\n                        google.protobuf.Type value in binary format, or produce an\n                        error. * Applications are allowed to cache lookup results\n                        based on the URL, or have them precompiled into a binary to\n                        avoid any lookup. Therefore, binary compatibility needs to\n                        be preserved on changes to types. (Use versioned type names\n                        to manage breaking changes.) Note: this functionality is not\n                        currently available in the official protobuf release, and\n                        it is not used for type URLs beginning with type.googleapis.com.\n                        Schemes other than `http`, `https` (or the empty scheme) might\n                        be used with implementation specific semantics.'\n                    value:\n                      type: string\n                      x-dcl-go-name: Value\n                      description: Must be a valid serialized protocol buffer of the\n                        above specified type.\n              name:\n                type: string\n                x-dcl-go-name: Name\n                readOnly: true\n                description: Output only. Resource name of the reference. Includes\n                  target resource as a parent and reference uid `{target_resource}/references/{reference_id}`.\n                  For example, `projects/{my-project}/locations/{location}/instances/{my-instance}/references/{xyz}`.\n                x-dcl-server-generated-parameter: true\n              sourceResource:\n                type: string\n                x-dcl-go-name: SourceResource\n                description: 'Required. Full resource name of the resource which refers\n                  the target resource. For example: //tpu.googleapis.com/projects/myproject/nodes/mynode'\n              type:\n                type: string\n                x-dcl-go-name: Type\n                description: Required. Type of the reference. A service might impose\n                  limits on number of references of a specific type.\n        repairRecipe:\n          type: object\n          x-dcl-go-name: RepairRecipe\n          x-dcl-go-type: InstanceRepairRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceRepairRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceRepairRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceRepairRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceRepairRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceRepairRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceRepairRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceRepairRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceRepairRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceRepairRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceRepairRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceRepairRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceRepairRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceRepairRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceRepairRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceRepairRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        reportInstanceHealthRecipe:\n          type: object\n          x-dcl-go-name: ReportInstanceHealthRecipe\n          x-dcl-go-type: InstanceReportInstanceHealthRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceReportInstanceHealthRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceReportInstanceHealthRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        reservedIPRange:\n          type: string\n          x-dcl-go-name: ReservedIPRange\n          description: The CIDR range of internal addresses reserved for this instance.\n            For example, 10.0.0.0/29 or 192.168.0.0/29. Ranges must be unique and\n            non-overlapping with existing subnets in a network.\n        resetRecipe:\n          type: object\n          x-dcl-go-name: ResetRecipe\n          x-dcl-go-type: InstanceResetRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceResetRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceResetRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceResetRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceResetRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceResetRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceResetRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceResetRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceResetRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceResetRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceResetRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceResetRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceResetRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceResetRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceResetRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceResetRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        sku:\n          type: object\n          x-dcl-go-name: Sku\n          x-dcl-go-type: InstanceSku\n          description: The instance SKU.\n          properties:\n            size:\n              type: string\n              x-dcl-go-name: Size\n              x-dcl-go-type: InstanceSkuSizeEnum\n              description: 'The instance size. Possible values: SIZE_UNSPECIFIED,\n                C1, C2'\n              enum:\n              - SIZE_UNSPECIFIED\n              - C1\n              - C2\n            tier:\n              type: string\n              x-dcl-go-name: Tier\n              x-dcl-go-type: InstanceSkuTierEnum\n              description: 'The service tier. Possible values: TIER_UNSPECIFIED, STANDALONE,\n                REPLICATED'\n              enum:\n              - TIER_UNSPECIFIED\n              - STANDALONE\n              - REPLICATED\n        state:\n          type: string\n          x-dcl-go-name: State\n          x-dcl-go-type: InstanceStateEnum\n          readOnly: true\n          description: '[Output only] The current state of the instance. Possible\n            values: STATUS_UNSPECIFIED, CREATING, READY, UPDATING, DELETING, REPAIRING'\n          x-kubernetes-immutable: true\n          enum:\n          - STATUS_UNSPECIFIED\n          - CREATING\n          - READY\n          - UPDATING\n          - DELETING\n          - REPAIRING\n        statusMessage:\n          type: string\n          x-dcl-go-name: StatusMessage\n          readOnly: true\n          description: '[Output only] Additional information if available.'\n          x-kubernetes-immutable: true\n        uid:\n          type: string\n          x-dcl-go-name: Uid\n          description: '[Output only]'\n        unfreezeRecipe:\n          type: object\n          x-dcl-go-name: UnfreezeRecipe\n          x-dcl-go-type: InstanceUnfreezeRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceUnfreezeRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceUnfreezeRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceUnfreezeRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceUnfreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceUnfreezeRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceUnfreezeRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceUnfreezeRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceUnfreezeRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceUnfreezeRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceUnfreezeRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceUnfreezeRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceUnfreezeRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceUnfreezeRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceUnfreezeRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceUnfreezeRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        updateRecipe:\n          type: object\n          x-dcl-go-name: UpdateRecipe\n          x-dcl-go-type: InstanceUpdateRecipe\n          properties:\n            delayToStoreResourcesInClhDbNanos:\n              type: integer\n              format: int64\n              x-dcl-go-name: DelayToStoreResourcesInClhDbNanos\n              description: Amount of time (in nanoseconds) takes for clh to store\n                the resources listed in resource_names_stored_in_clh_with_delay in\n                its DB and then return 200. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after that it will work normally. resource_names_stored_in_clh_with_delay\n                and delay_to_store_resources_in_clh_db_nanos are internetd to use\n                together.\n            honorCancelRequest:\n              type: boolean\n              x-dcl-go-name: HonorCancelRequest\n              description: When set to true, CLH will return CANCELLED status on DONE\n                if CCFE passed the cancellation bit.\n            ignoreRecipeAfter:\n              type: integer\n              format: int64\n              x-dcl-go-name: IgnoreRecipeAfter\n              description: Absolute time (in nanoseconds) that specifies (if non-zero)\n                after which this recipe should be ignored and not executed.\n            populateOperationResult:\n              type: boolean\n              x-dcl-go-name: PopulateOperationResult\n              description: When set to true, CLH will populate the Operation.Result,\n                Operation.Result is optional and if it's not populated CCFE will use\n                resourceViews to populate it.\n            readonlyRecipeStartTime:\n              type: string\n              format: date-time\n              x-dcl-go-name: ReadonlyRecipeStartTime\n              description: Usually recipe start_time is calculated by operation.start_time\n                but in readonly requests we won't have that, this field will act as\n                an override for recipe start_time.\n            resourceNamesStoredInClhWithDelay:\n              type: array\n              x-dcl-go-name: ResourceNamesStoredInClhWithDelay\n              description: 'Resource names listed here will be returned to CCFE with\n                resource_status=NOT_FOUND, instructing CCFE not to return them as\n                part of Get/List calls. Any Get/List call on these resources received\n                earlier than readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                will return 404. after readonly_recipe_start_time+delay_to_store_resources_in_clh_db_nanos\n                it will work normally and return the resource. example usage: [\"instance1\",\n                \"instance2\"] resource_names_stored_in_clh_with_delay and delay_to_store_resources_in_clh_db_nanos\n                are internetd to use together.'\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: string\n                x-dcl-go-type: string\n            steps:\n              type: array\n              x-dcl-go-name: Steps\n              x-dcl-send-empty: true\n              x-dcl-list-type: list\n              items:\n                type: object\n                x-dcl-go-type: InstanceUpdateRecipeSteps\n                properties:\n                  action:\n                    type: string\n                    x-dcl-go-name: Action\n                    x-dcl-go-type: InstanceUpdateRecipeStepsActionEnum\n                    description: 'Action to perform. Possible values: NO_ACTION, ALLOW,\n                      ALLOW_WITH_LOG, DENY, DENY_WITH_LOG, LOG'\n                    enum:\n                    - NO_ACTION\n                    - ALLOW\n                    - ALLOW_WITH_LOG\n                    - DENY\n                    - DENY_WITH_LOG\n                    - LOG\n                  clhDataUpdateTime:\n                    type: string\n                    format: date-time\n                    x-dcl-go-name: ClhDataUpdateTime\n                    description: Optional timestamp simulating a write to a CLH-owned\n                      database.\n                  description:\n                    type: string\n                    x-dcl-go-name: Description\n                    description: Description to store in CLHCallHistory history. Defaults\n                      to a string provided by CLH (typically RPC name with parameters).\n                  errorSpace:\n                    type: string\n                    x-dcl-go-name: ErrorSpace\n                    description: If not empty, causes returned error to be in the\n                      specified space.\n                  keyNotificationsUpdate:\n                    type: object\n                    x-dcl-go-name: KeyNotificationsUpdate\n                    x-dcl-go-type: InstanceUpdateRecipeStepsKeyNotificationsUpdate\n                    description: Optional update to be applied to the key_notifications\n                      field (which KMS keys to watch and how to watch them).\n                    properties:\n                      keyNotificationsInfo:\n                        type: object\n                        x-dcl-go-name: KeyNotificationsInfo\n                        x-dcl-go-type: InstanceUpdateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfo\n                        properties:\n                          dataVersion:\n                            type: integer\n                            format: int64\n                            x-dcl-go-name: DataVersion\n                            description: The version number of this configuration.\n                              Any update is only applied if a new watched key has\n                              a higher version number than the current watched key\n                          delegate:\n                            type: string\n                            x-dcl-go-name: Delegate\n                            description: 'The MDB role to delegate KMS grant to so\n                              CCFE can register the key to be watched on behalf of\n                              the CLH. Should be of the format: \"serviceaccount:@prod.google.com\"\n                              This field will always be populated by CCFE and cannot\n                              be updated by the CLH.'\n                          keyNotificationConfigs:\n                            type: array\n                            x-dcl-go-name: KeyNotificationConfigs\n                            description: The keys, if any, about which notifications\n                              should be sent, along with any configuration options\n                              controlling notification behavior. If absent, all the\n                              watched keys are unregistered.\n                            x-dcl-send-empty: true\n                            x-dcl-list-type: list\n                            items:\n                              type: object\n                              x-dcl-go-type: InstanceUpdateRecipeStepsKeyNotificationsUpdateKeyNotificationsInfoKeyNotificationConfigs\n                              properties:\n                                delegatorGaiaId:\n                                  type: integer\n                                  format: int64\n                                  x-dcl-go-name: DelegatorGaiaId\n                                  description: The gaia id of the p4sa used as the\n                                    delegator in the call to DelegateGrant.\n                                grant:\n                                  type: string\n                                  x-dcl-go-name: Grant\n                                  description: The grant that gives CCFE access to\n                                    check key state. This should be a grant that gives\n                                    the user specified in KeyNotificationsInfo.delegate\n                                    access to the key (see go/grants-mvp-1pager).\n                                keyOrVersionName:\n                                  type: string\n                                  x-dcl-go-name: KeyOrVersionName\n                                  description: The key or version name to watch. This\n                                    should not be a grant.\n                  p4ServiceAccount:\n                    type: string\n                    x-dcl-go-name: P4ServiceAccount\n                    description: If not empty, instruct CLH to assert the p4 service\n                      account passed in projects metadata. Note this action is not\n                      supported in hermetic envs.\n                  permissionsInfo:\n                    type: array\n                    x-dcl-go-name: PermissionsInfo\n                    description: permission info list to be requested\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceUpdateRecipeStepsPermissionsInfo\n                      properties:\n                        apiAttrs:\n                          $ref: '#/components/schemas/Googleprotobufstruct'\n                          x-dcl-go-name: ApiAttrs\n                        iamPermissions:\n                          type: array\n                          x-dcl-go-name: IamPermissions\n                          description: Contains the iam permission. [required]\n                          x-dcl-send-empty: true\n                          x-dcl-list-type: list\n                          items:\n                            type: object\n                            x-dcl-go-type: InstanceUpdateRecipeStepsPermissionsInfoIamPermissions\n                            properties:\n                              permission:\n                                type: string\n                                x-dcl-go-name: Permission\n                                description: It represents iam permission, for example\n                                  \"arcus2tier2.instance.create\". It cannot be empty\n                                  or \"iam.permissions.none\". [required]\n                        policyName:\n                          type: object\n                          x-dcl-go-name: PolicyName\n                          x-dcl-go-type: InstanceUpdateRecipeStepsPermissionsInfoPolicyName\n                          description: PolicyName contains the policy id and type.\n                            This field is required unless PolicyNameMode is set to\n                            FROM_RESOURCE_PATH. [optional]\n                          properties:\n                            id:\n                              type: string\n                              x-dcl-go-name: Id\n                              description: Identifies an instance of the type. ID\n                                format varies by type. The ID format is defined in\n                                the IAM .service file that defines the type, either\n                                in path_mapping or in a comment.\n                            region:\n                              type: string\n                              x-dcl-go-name: Region\n                              description: 'For Cloud IAM: The location of the Policy.\n                                Must be empty or \"global\" for Policies owned by global\n                                IAM. Must name a region from prodspec/cloud-iam-cloudspec\n                                for Regional IAM Policies, see go/iam-faq#where-is-iam-currently-deployed.\n                                For Local IAM: This field should be set to \"local\".'\n                            type:\n                              type: string\n                              x-dcl-go-name: Type\n                              description: 'Resource type. Types are defined in IAM''s\n                                .service files. Valid values for type might be ''gce'',\n                                ''gcs'', ''project'', ''account'' etc. TODO(b/112599007):\n                                annotate this as holding the resource scope when that\n                                is supported'\n                        policyNameMode:\n                          type: string\n                          x-dcl-go-name: PolicyNameMode\n                          x-dcl-go-type: InstanceUpdateRecipeStepsPermissionsInfoPolicyNameModeEnum\n                          description: 'By default, dynamic IAM uses the PolicyName\n                            generated by CLH. This field overrides the default setting.\n                            Not supported by CCFE yet, refer to b/195547296. [Optional]\n                            Possible values: UNSPECIFIED, FROM_POLICY_NAME, FROM_RESOURCE_PATH'\n                          enum:\n                          - UNSPECIFIED\n                          - FROM_POLICY_NAME\n                          - FROM_RESOURCE_PATH\n                        resourcePath:\n                          type: string\n                          x-dcl-go-name: ResourcePath\n                          description: ResourcePath is used for cloud audit logging.\n                            ResourcePath is also used for constructing the permission\n                            denied error message when permission is denied. If resource_path\n                            is provided, permission denied error message would be\n                            \"Permission X denied on resource Y\" else error message\n                            would be \"Permission X denied on resource (or it may not\n                            exist)\". If PolicyNameMode is set to FROM_RESOURCE_PATH\n                            mode, ResourcePath is used for building IAM PolicyName\n                            by CCFE. [required]\n                  preprocessUpdate:\n                    type: object\n                    x-dcl-go-name: PreprocessUpdate\n                    x-dcl-go-type: InstanceUpdateRecipeStepsPreprocessUpdate\n                    description: Optional update to be applied to the operation metadata\n                      update if the recipe needs to initialize the operation metadata\n                      during preprocess\n                    properties:\n                      latencySloBucketName:\n                        type: string\n                        x-dcl-go-name: LatencySloBucketName\n                      publicOperationMetadata:\n                        type: string\n                        x-dcl-go-name: PublicOperationMetadata\n                        description: Optional public operation metadata to be returned\n                          by Preprocess calls LROs. The value must be serialized using\n                          the protojson.AnyToString. CLH recipe code will de-serialize\n                          it using the protojson.StringToAny.\n                  publicErrorMessage:\n                    type: string\n                    x-dcl-go-name: PublicErrorMessage\n                    description: Public error message specified by CLH.\n                  publicOperationMetadata:\n                    type: string\n                    x-dcl-go-name: PublicOperationMetadata\n                    description: Optional public operation metadata to be returned\n                      by Apply calls LROs. The value must be serialized using the\n                      protojson.AnyToString. CLH recipe code will de-serialize it\n                      using the protojson.StringToAny.\n                  quotaRequestDeltas:\n                    type: array\n                    x-dcl-go-name: QuotaRequestDeltas\n                    description: The quota usage delta to be charged. NOT an absolute\n                      Desired number, but rather a delta.\n                    x-dcl-send-empty: true\n                    x-dcl-list-type: list\n                    items:\n                      type: object\n                      x-dcl-go-type: InstanceUpdateRecipeStepsQuotaRequestDeltas\n                      properties:\n                        amount:\n                          type: integer\n                          format: int64\n                          x-dcl-go-name: Amount\n                          description: How much quota is charged by the given resource.\n                        metricName:\n                          type: string\n                          x-dcl-go-name: MetricName\n                          description: The name of the metric to charge.\n                        quotaLocationName:\n                          type: string\n                          x-dcl-go-name: QuotaLocationName\n                          description: 'Location of the quota charge. If not present,\n                            it is assumed to be the same as the location of the target\n                            resource of the CLH call. Location should be the same\n                            as the location of the target resource of the CLH call,\n                            or an ancestor or descendant of that location. Example\n                            values: “global”, “us-central1”, “us-central1-a”. TODO(b/191688750):\n                            To be supported by CCFE.'\n                  relativeTime:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: RelativeTime\n                    description: Relative time (in nanoseconds) after which the step\n                      is to be run. The time is measured from the start of the operation.\n                  requestedTenantProject:\n                    type: object\n                    x-dcl-go-name: RequestedTenantProject\n                    x-dcl-go-type: InstanceUpdateRecipeStepsRequestedTenantProject\n                    description: The tenant project to be requested.\n                    properties:\n                      folder:\n                        type: string\n                        x-dcl-go-name: Folder\n                        description: Folder where to create this tenannt project.\n                          This field will override the corresponding field in TenantProjectConfig\n                          (google3/google/api/serviceconsumermanagement/v1/tenancy.proto).\n                          With this filed configured dynamicly, tenants can create\n                          per-region tenant project pool.\n                        x-dcl-references:\n                        - resource: Cloudresourcemanager/Folder\n                          field: name\n                      scope:\n                        type: string\n                        x-dcl-go-name: Scope\n                        x-dcl-go-type: InstanceUpdateRecipeStepsRequestedTenantProjectScopeEnum\n                        description: 'The scope of the tenant project. Note that if\n                          the tenant project tag is \"default\", it''s automatically\n                          treated as scope = PROJECT unless specified otherwise. [optional]\n                          Possible values: UNKNOWN_SCOPE, PROJECT, RESOURCE'\n                        enum:\n                        - UNKNOWN_SCOPE\n                        - PROJECT\n                        - RESOURCE\n                      tag:\n                        type: string\n                        x-dcl-go-name: Tag\n                        description: A tenant project tag. This is the same tag that\n                          is used by Tenancy Units API to identify a tenant project.\n                          It is unique within a specific Tenancy Unit. CLH should\n                          use a deterministic algorithm to generate a tag. For ex.,\n                          if service needs a tenant project per consumer network,\n                          consumer network name can be used to generate a tag. For\n                          ex., if consumer network name is \"my-network\", a tag could\n                          be \"sn-my-network\". Prefix \"sn-\" is used here, but CLH can\n                          use any prefix they like as long as it does not change from\n                          request to request. If a tenant project with tag \"sn-my-network\"\n                          is requested, CCFE will check if a tenant project with such\n                          a tag already exists. If it does, CCFE will reuses it. Otherwise\n                          CCFE will create a new tenant project. [required]\n                  resourceMetadataSize:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: ResourceMetadataSize\n                    description: size of resource metadata that CL should return\n                  sleepDuration:\n                    type: integer\n                    format: int64\n                    x-dcl-go-name: SleepDuration\n                    description: Amount of time (in nanoseconds) to sleep for when\n                      the step runs.\n                  status:\n                    type: object\n                    x-dcl-go-name: Status\n                    x-dcl-go-type: InstanceUpdateRecipeStepsStatus\n                    properties:\n                      code:\n                        type: integer\n                        format: int64\n                        x-dcl-go-name: Code\n                        description: The status code, which should be an enum value\n                          of google.rpc.Code.\n                      details:\n                        type: array\n                        x-dcl-go-name: Details\n                        description: A list of messages that carry the error details.\n                          There is a common set of message types for APIs to use.\n                        x-dcl-send-empty: true\n                        x-dcl-list-type: list\n                        items:\n                          type: object\n                          x-dcl-go-type: InstanceUpdateRecipeStepsStatusDetails\n                          properties:\n                            typeUrl:\n                              type: string\n                              x-dcl-go-name: TypeUrl\n                              description: 'A URL/resource name that uniquely identifies\n                                the type of the serialized protocol buffer message.\n                                This string must contain at least one \"/\" character.\n                                The last segment of the URL''s path must represent\n                                the fully qualified name of the type (as in `path/google.protobuf.Duration`).\n                                The name should be in a canonical form (e.g., leading\n                                \".\" is not accepted). In practice, teams usually precompile\n                                into the binary all types that they expect it to use\n                                in the context of Any. However, for URLs which use\n                                the scheme `http`, `https`, or no scheme, one can\n                                optionally set up a type server that maps type URLs\n                                to message definitions as follows: * If no scheme\n                                is provided, `https` is assumed. * An HTTP GET on\n                                the URL must yield a google.protobuf.Type value in\n                                binary format, or produce an error. * Applications\n                                are allowed to cache lookup results based on the URL,\n                                or have them precompiled into a binary to avoid any\n                                lookup. Therefore, binary compatibility needs to be\n                                preserved on changes to types. (Use versioned type\n                                names to manage breaking changes.) Note: this functionality\n                                is not currently available in the official protobuf\n                                release, and it is not used for type URLs beginning\n                                with type.googleapis.com. Schemes other than `http`,\n                                `https` (or the empty scheme) might be used with implementation\n                                specific semantics.'\n                            value:\n                              type: string\n                              x-dcl-go-name: Value\n                              description: Must be a valid serialized protocol buffer\n                                of the above specified type.\n                      message:\n                        type: string\n                        x-dcl-go-name: Message\n                        description: A developer-facing error message, which should\n                          be in English. Any user-facing error message should be localized\n                          and sent in the google.rpc.Status.details field, or localized\n                          by the client.\n                  updatedRepeatOperationDelaySec:\n                    type: number\n                    format: double\n                    x-dcl-go-name: UpdatedRepeatOperationDelaySec\n                    description: Updated repeat_operation_delay_sec in the operation\n                      metadata.\n            verifyDeadlineSecondsBelow:\n              type: number\n              format: double\n              x-dcl-go-name: VerifyDeadlineSecondsBelow\n              description: When set, CLH will verify that the RPC deadline (in seconds)\n                is less than the value set in the field.\n        updateTime:\n          type: string\n          format: date-time\n          x-dcl-go-name: UpdateTime\n          readOnly: true\n          description: '[Output only] The time the instance was updated.'\n          x-kubernetes-immutable: true\n        zone:\n          type: string\n          x-dcl-go-name: Zone\n          description: The zone where the instance will be provisioned.\n")

// 605931 bytes
// MD5: b858552b4459d16e10f28929fdba294b
